Checking Satisfiability by Dependency Sequents 



Eugene Goldberg, Panagiotis Manolios 
Northeastern University, USA {eigold,pete}@ccs.neu.edu



Abstract. We introduce a new algorithm for checking satisfiability based
on a calculus of Dependency sequents (D-sequents). Given a CNF formula
$F(X)$, a D-sequent is a record stating that under a partial assignment
a set of variables of X is redundant in formula $\exists X[F]$. The
D-sequent calculus is based on operation join that forms a new D-sequent
from two existing ones. The new algorithm solves the quantified version
of SAT. That is, given a satisfiable formula F, it, in general, does
not produce an assignment satisfying F. The new algorithm is called
DS-QSAT where DS stands for Dependency Sequent and Q for Quantified.
Importantly, a DPLL-like procedure is only a special case of DS-QSAT
where a very restricted kind of D-sequents is used. We argue that
this restriction a) adversely affects scalability of SAT-solvers b) is caused
by looking for an explicit satisfying assignment rather than just proving
satisfiability. We give experimental results substantiating these claims.

1 Introduction 

Algorithms for solving the Boolean satisfiability problem are an important part 
of modern design flows. Despite great progress in the performance of such algo- 
rithms achieved recently, the scalability of SAT-solvers still remains a big issue. 
In this paper, we address this issue by introducing a new method of satisfiability 
checking that can be viewed as a descendant of the DP procedure [5] . 

We consider Boolean formulas represented in Conjunctive Normal Form (CNF).
Given a CNF formula $F(X)$, one can formulate two different kinds of
satisfiability checking problems. We will refer to the problems of the first
kind as QSAT where Q stands for quantified. Solving QSAT means just checking
if $\exists X[F]$ is true. In particular, if F is satisfiable, a QSAT-solver
does not have to produce an assignment satisfying F. The problems of the second
kind that we will refer to as just SAT are a special case of those of the first
kind. If F is satisfiable, a SAT-solver has to produce an assignment satisfying F.

Intuitively, QSAT should be easier than SAT because a QSAT-solver needs 
to return only one bit of information. This intuition is substantiated by the fact 
that checking if an integer number N is prime (i.e. answering the question if 
non-trivial factors of N exist) is polynomial while finding factors of N explicitly 
is believed to be hard. However, the situation among practical algorithms defies 
this intuition. Currently, the field is dominated by procedures based on DPLL 
algorithm p] that is by SAT-solvers. On the other hand, a classical QSAT-solver, 
the DP procedure [5], does not have any competitive descendants (although some
elements of the DP procedure are used in formula preprocessing performed by
SAT-solvers 0). 

In this paper, we introduce a QSAT-solver called DS-QSAT where DS stands
for Dependency Sequent. On the one hand, DS-QSAT can be viewed as a
descendant of the DP procedure. On the other hand, DPLL-like procedures with
clause learning are a special case of DS-QSAT. Like the DP procedure, DS-QSAT
is based on the idea of elimination of redundant variables. A variable
$v \in X$ is redundant in $\exists X[F]$ if the latter is equivalent to
$\exists X[F \setminus F^v]$ where $F^v$ is the set of all clauses of F with v.
Note that removal of clauses of $F^v$ produces a formula that is equisatisfiable
rather than functionally equivalent to F.

If F is satisfiable, all variables of X are redundant in $\exists X[F]$ because an empty
set of clauses is satisfiable. If F is unsatisfiable, one can make the variables of F 
redundant by deriving an empty clause and adding it to F. An empty clause is 
unsatisfiable, hence all other clauses of F can be dropped. So, from the viewpoint 
of DS-QSAT, the only difference between satisfiable and unsatisfiable formulas 
is as follows. If F is satisfiable, its variables are already redundant and one just 
needs to prove this redundancy. If F is unsatisfiable, one has to make variables 
redundant by derivation and adding to F an empty clause. 

The DP procedure makes a variable v of X redundant in one step, by adding
to F all clauses that can be produced by resolution on v. This is extremely
inefficient due to generation of prohibitively large sets of clauses even for very
small formulas. DS-QSAT addresses this problem by using branching. The idea
is to prove redundancy of variables in subspaces and then "merge" the obtained
results. DS-QSAT records the fact that a set of variables Z is redundant in
$\exists X[F]$ in subspace specified by partial assignment q as
$(\exists X[F], r) \rightarrow Z$. Here r is a subset of the assignments of q
relevant to redundancy of Z. The record $(\exists X[F], r) \rightarrow Z$ is
called a dependency sequent (or D-sequent for short). To simplify notation, if
F and X are obvious from the context, we record the D-sequent above as just
$r \rightarrow Z$.

A remarkable fact is that a resolution-like operation called join can be used to
produce a new D-sequent from two D-sequents derived earlier [8,7]. Suppose, for
example, that D-sequents $(x_1 = 0, x_2 = 0) \rightarrow \{x_9\}$ and
$(x_2 = 1, x_5 = 1) \rightarrow \{x_9\}$ specify redundancy of variable $x_9$ in
different branches of variable $x_2$. Then D-sequent
$(x_1 = 0, x_5 = 1) \rightarrow \{x_9\}$ holds where the left part assignment of
this D-sequent is obtained by taking the union of the left part assignments of
the two D-sequents above but those to variable $x_2$. The new D-sequent is said
to be obtained by joining the two D-sequents above at variable $x_2$. The
calculus based on the join operation is complete. That is, eventually DS-QSAT
derives D-sequent $\emptyset \rightarrow X$ stating unconditional redundancy of
the variables of X in $\exists X[F]$. If by the time the D-sequent above is
derived, F contains an empty clause, F is unsatisfiable. Otherwise, F is
satisfiable. Importantly, if F is satisfiable, derivation of D-sequent
$\emptyset \rightarrow X$ does not require finding an assignment satisfying F.

DPLL-based SAT-solvers with clause learning can be viewed as a special
case of DS-QSAT where only a particular kind of D-sequents is used. This
limitation on D-sequents is caused by the necessity to generate a satisfying
assignment as a proof of satisfiability. Importantly, this necessity deprives
DPLL-based SAT-solvers of using transformations preserving equisatisfiability
rather than functional equivalence. In turn, this adversely affects the
performance of SAT-solvers. We illustrate this point by comparing the
performance of DPLL-like SAT-solvers and a version of DS-QSAT on compositional
formulas. This version of DS-QSAT uses the strategy of lazy backtracking as
opposed to that of eager backtracking employed by DPLL-based procedures. A
compositional CNF formula has the form
$F_1(X_1) \wedge \ldots \wedge F_k(X_k)$ where $X_i \cap X_j = \emptyset$,
$i \neq j$. Subformulas $F_i, F_j$ are identical modulo variable
renaming/negation. We prove theoretically that performance of DS-QSAT is linear
in k. On the other hand, one can argue that the average performance of
DPLL-based SAT-solvers with conflict learning should be quadratic in k. In
Section 8, we describe experiments confirming our theoretical results.

The contribution of this paper is fourfold. First, we use the machinery of 
D-sequents to explain some problems of DPLL-based SAT-solvers. Second, we 
describe a new QSAT-solver based on D-sequents called DS-QSAT. Third, we 
give a theoretical analysis of the behavior of DS-QSAT on compositional
formulas. Fourth, we show the promise of DS-QSAT by comparing its performance
with that of well-known SAT-solvers on compositional and non-compositional 
formulas. 

This paper is structured as follows. In Section 2, we discuss the complexity
of QSAT and SAT. Section 3 gives a brief introduction into DS-QSAT. We recall
D-sequent calculus in Section 4. A detailed description of DS-QSAT is given in
Section 5. Section 6 gives some theoretical results on performance of DS-QSAT.
Section 7 describes a modification of DS-QSAT that allows additional pruning
of the search tree. Experimental results are given in Section 8. We describe some
background of this research in Section 9 and give conclusions in Section 10.

2 Is QSAT Simpler Than SAT? 

In this section, we make the following point. Both QSAT-solvers and SAT-solvers 
have exponential complexity on the set of all CNF formulas, unless P = NP. 
However, this is not true for subsets of CNF formulas. It is possible that a set 
K of formulas describing, say, properties of a parameterized set of designs can 
be solved in polynomial time by some QSAT-solver while any SAT-solver has 
exponential complexity on K. 

To illustrate the point above, let us consider procedure gen_sat_assgn shown
in Figure 1. It finds an assignment satisfying a CNF formula F (if any) by
solving a sequence of QSAT problems. First, gen_sat_assgn calls a QSAT-solver
solve_qsat to check if F is satisfiable (line 2). If it is, gen_sat_assgn picks a
variable v of F (line 5) and calls solve_qsat to find assignment $v = val$ under
which formula F is satisfiable (lines 6-8). Since F is satisfiable, $F_{v=0}$
and/or $F_{v=1}$ has to be satisfiable. Then gen_sat_assgn fixes variable v at
the chosen value val and adds $(v = val)$ to assignment s (lines 9-10) that was
originally empty. The gen_sat_assgn procedure keeps assigning variables of F in
the same manner in a loop (lines 5-11) until every variable of F is assigned. At
this point, s is a satisfying assignment of F.

    gen_sat_assgn(F){
    1   ans := solve_qsat(F);
    2   if (ans = unsat) return(unsat);
    3   s := ∅; X := Vars(F);
    4   while (X ≠ ∅) {
    5     v := pick_var(X);
    6     if (solve_qsat(F_{v=0}) = sat)
    7       val := 0;
    8     else val := 1;
    9     F := F_{v=val};
    10    s := s ∪ {(v = val)};
    11    X := X \ {v};}
    12  return(s);}

Fig. 1. SAT-solving by QSAT

The number of QSAT checks performed by solve_qsat in gen_sat_assgn is at most
n + 1. So if there is a QSAT-solver solving all satisfiable CNF formulas in
polynomial time, gen_sat_assgn can use this QSAT-solver in its inner loop to find
a satisfying assignment for any satisfiable formula in polynomial time.
However, this is not true when considering a subset K of all possible CNF
formulas. Suppose there is a QSAT-solver solving the formulas of K in polynomial
time. Let F be a formula of K. Let $F_q$ denote F under partial assignment q.
The fact that $F \in K$ does not imply $F_q \in K$. So the behavior of
gen_sat_assgn using this QSAT-solver in the inner loop may actually be even
exponential if this QSAT-solver does not perform well on formulas $F_q$.

For example, one can form a subset K of all possible CNF formulas such
that a) a formula $F \in K$ describes a check that a number N is composite and
b) an assignment satisfying F (if any) specifies two numbers A, B such that
$A \neq 1$, $B \neq 1$ and $A \times B = N$. The satisfiability of formulas in K
can be checked by a QSAT-solver in polynomial time [14]. At the same time,
finding satisfying assignments of formulas from K, i.e. factorization of
composite numbers, is believed to be hard. For instance, gen_sat_assgn cannot use
the QSAT-solver above to find satisfying assignments for formulas of K in
polynomial time. The reason is that formula $F_q$ does not specify a check if a
number is composite. That is, $F \in K$ does not imply that $F_q \in K$.

Note that a SAT-solver is also limited in the ways of proving unsatisfiability.
For a SAT-solver, such a proof is just a failed attempt to build a satisfying
assignment explicitly. For example, instead of using the polynomial algorithm of
[14], a SAT-solver would prove that a number N is prime by failing to find two
non-trivial factors of N.

3 Brief comparison of DPLL-based SAT-solvers and DS-QSAT in Terms of D-sequents

In this section, we use the notion of D-sequents to discuss some limitations of
DPLL-based SAT-solvers. We also explain how DS-QSAT (described in Section 5
in detail) overcomes those limitations.



Example 1. Let SAT_ALG be a DPLL-based SAT-solver with clause learning. 
We assume that the reader is familiar with the basics of such SAT-solvers [15,16].



Let F be a CNF formula of 8 clauses where C\ = x\ V 2:3, C2 = 2:2 V 2:3, 
C3 = X! V X2 V X3, C4 = 12 C5 = 5?i V 2:4 V x$, Cq — 14 V15, C7 = 2T4 V 2:5, 

Cg =ii V54V15. The set X of variables of F is equal to {xi, X2, £3, £4, £5}. 

Let SAT_ALG first make assignment $x_1 = 0$. This satisfies clauses $C_1$,
$C_5$, $C_8$ and removes literal $x_1$ from $C_3$. Let SAT_ALG then make
assignment $x_2 = 0$. Removing literal $x_2$ from $C_3$ and $C_4$ turns them into
unit clauses $x_3$ and $\overline{x}_3$ respectively. This means that SAT_ALG
ran into a conflict. At this point, SAT_ALG generates conflict clause
$C_9 = x_1 \vee x_2$ that is obtained by resolving clauses $C_3$ and $C_4$ on
$x_3$ and adds $C_9$ to F. After that, SAT_ALG erases assignment $x_2 = 0$ and
the assignment made by SAT_ALG to $x_3$ and runs BCP that assigns $x_2 = 1$ to
satisfy $C_9$ that is currently unit. In terms of D-sequents, one can view
generation of conflict clause $C_9$ and adding it to F as derivation of
D-sequent S equal to $(x_1 = 0, x_2 = 0) \rightarrow \{x_3, x_4, x_5\}$.
D-sequent S says that making assignments falsifying clause $C_9$ renders all
unassigned variables redundant. Note that S is inactive in the subspace
$(x_1 = 0, x_2 = 1)$ that SAT_ALG enters after assigning 1 to $x_2$. (We will say
that D-sequent $r \rightarrow Z$ is active in the subspace specified by partial
assignment q if the assignments of r are a subset of those of q.) So the
variables $x_3, x_4, x_5$ proved redundant in subspace $(x_1 = 0, x_2 = 0)$
become non-redundant again.

One may think that reappearance of variables $x_3, x_4, x_5$ in subspace
$(x_1 = 0, x_2 = 1)$ is "inevitable" but this is not so. Variables $x_4, x_5$
have at least two reasons to be redundant in subspace $(x_1 = 0, x_2 = 0)$.
First, $C_9$ is falsified in this subspace. Second, the only clauses of F
containing variables $x_4, x_5$ are $C_5, C_6, C_7, C_8$. But $C_5$ and $C_8$ are
satisfied by $x_1 = 0$ and $C_6, C_7$ can be satisfied by an assignment to
$x_4, x_5$. So $C_5, C_6, C_7, C_8$ can be removed from F in subspace $x_1 = 0$
without affecting the satisfiability of F. Hence D-sequents $S_1$ and $S_2$
equal to $(x_1 = 0) \rightarrow \{x_4\}$ and $(x_1 = 0) \rightarrow \{x_5\}$ are
true. (In Example 3, we will show how $S_1$ and $S_2$ are derived by DS-QSAT.)
Suppose that one replaces the D-sequent S above with D-sequents $S'$, $S_1$,
$S_2$ where $S'$ is equal to $(x_1 = 0, x_2 = 0) \rightarrow \{x_3\}$. Note that
only D-sequent $S'$ is inactive in subspace $(x_1 = 0, x_2 = 1)$. So only
variable $x_3$ reappears after $x_2$ changes its value from 0 to 1. □

The example above illustrates the main difference between SAT_ALG and
DS-QSAT in terms of D-sequents. At every moment, SAT_ALG has at most one
active D-sequent. This D-sequent is of the form $r \rightarrow Z$ where r is an
assignment falsifying a clause of F and Z is the set of all variables that are
currently unassigned. DS-QSAT may have a set of active D-sequents
$r_1 \rightarrow Z_1, \ldots, r_k \rightarrow Z_k$ where
$Z_1 \cup \ldots \cup Z_k = Z$, $Z_i \cap Z_j = \emptyset$, $i \neq j$. When
SAT_ALG changes the value of variable v of Vars(r), all the variables of Z
reappear as non-redundant. When DS-QSAT changes the value of v, variables of
$Z_i$ reappear only if $v \in Vars(r_i)$. So only a subset of variables of Z
reappear.

To derive D-sequents $r_i \rightarrow Z_i$ above, DS-QSAT goes on branching in
the presence of a conflict. Informally, the goal of such branching is to find
alternative ways of proving redundancy of variables from Z. So DS-QSAT uses
extra branching to minimize the number of variables reappearing in the right
branch (after the left branch has been explored). This should eventually lead to
the opposite result i.e. to reducing the amount of branching. Looking for
alternative ways to prove redundancy can be justified as follows. A practical
formula F typically can be represented as
$F_1(X_1, Y_1) \wedge \ldots \wedge F_k(X_k, Y_k)$. Here $X_i$ are internal
variables of $F_i$ and $Y_i$ are "communication" variables that $F_i$ may share
with some other subformulas $F_j$, $j \neq i$. One can view $F_i$ as describing
a "design block" with
external variables Yi. Usually, \Yi\ is much smaller than |Xj|. Let a clause of Fi 
be falsified by the current assignment due to a conflict. Suppose that at the time 
of the conflict all variables of Yj of subformula Fj were assigned and their values 
were specified by assignment yi. Suppose j/j is consistent for Fi i.e. yi can be 
extended by assignments to Xi to satisfy Fi. This means that the variables of Xi 
are redundant in subspace yi in $\exists V[F]$ where V = Vars(F). Then by branching
on variables of Xj one can derive D-sequent yi — >• Xi . If yi is inconsistent for 
Fi , then by branching on variables of Xi one can derive a clause C falsified by 
yi. Adding C to F makes the variables of Xi redundant in $\exists V[F]$ in subspace
yi. So the existence of many ways to prove variable redundancy is essentially 
implied by the fact that formula F has structure. 

The possibility to control the size of right branches gives an algorithm a lot 
of power. Suppose, for example, that an algorithm guarantees that the number 
of variables reappearing in the right branch is bounded by a constant d. We 
assume that this applies to the right branch going out of any node of the search 
tree, including the root node. Then the size of the search tree built by such an 
algorithm is $O(|X| \cdot 2^d)$. Here $|X|$ is the maximum depth of a search tree built
by branching on variables of X and $2^d$ is the number of nodes in a full binary
sub-tree over d variables. So the factor $2^d$ limits the size of the right branch.
The complexity of an algorithm building such a search tree is linear in F. In
Section 6, we show that bounding the size of right branches by a constant is
exactly the reason why the complexity of DS-QSAT on compositional formulas 
is linear in the number of subformulas. 

The limitation of D-sequents available to SAT_ALG is consistent with the 
necessity to produce a satisfying assignment. Although such limitation cripples 
the ability of an algorithm to compute the parts of the formula that are re- 
dundant in the current subspace, it does not matter much for SAT_ALG. The 
latter simply cannot use this redundancy because it is formulated with respect 
to formula $\exists X[F]$ rather than F. Hence, discarding the clauses containing
redundant variables preserves equisatisfiability rather than functional equivalence.
So, an algorithm using such transformations cannot guarantee that a satisfying 
assignment it found is correct. 



4 D-sequent Calculus 



In this section, we recall the D-sequent calculus introduced in [8,7]. In
Subsections 4.1 and 4.2 we give basic definitions and describe simple cases of
variable redundancy. The notion of D-sequents is introduced in Subsection 4.3.
Finally, the operation of joining D-sequents is presented in Subsection 4.4.



4.1 Basic definitions 



Definition 1. A literal of a Boolean variable v is v itself and its negation. A
clause is a disjunction of literals. A formula F represented as a conjunction
of clauses is said to be the Conjunctive Normal Form (CNF) of F. A CNF
formula F is also viewed as a set of clauses. Let q be an assignment, F be a
CNF formula, and C be a clause. Vars(q) denotes the variables assigned in q;
Vars(F) denotes the set of variables of F; Vars(C) denotes the set of variables
of C.

Definition 2. Let q be an assignment. Clause C is satisfied by q if a literal of
C is set to 1 by q. Otherwise, C is falsified by q. Assignment q satisfies F if
q satisfies every clause of F.

Definition 3. Let F be a CNF formula and q be a partial assignment to
variables of F. Denote by $F_q$ the formula that is obtained from F by a) removing
all clauses of F satisfied by q; b) removing the literals set to 0 by q from the
clauses that are not satisfied by q. Notice that if $q = \emptyset$, then
$F_q = F$.

Definition 4. Let F be a CNF formula and Z be a subset of Vars(F). Denote
by $F^Z$ the set of all clauses of F containing at least one variable of Z.

Definition 5. The variables of Z are redundant in formula $\exists X[F]$ if
$\exists X[F] = \exists X[F \setminus F^Z]$. We note that since
$F \setminus F^Z$ does not contain any Z variables, we could have written
$\exists (X \setminus Z)[F \setminus F^Z]$. To simplify notation, we avoid
explicitly using this optimization in the rest of the paper.

Definition 6. Let $q_1$ and $q_2$ be assignments. The expression
$q_1 \leq q_2$ denotes the fact that $Vars(q_1) \subseteq Vars(q_2)$ and each
variable of $Vars(q_1)$ has the same value in $q_1$ and $q_2$.

4.2 Simple cases of variable redundancy 

There are at least two cases where proving that a variable of F is redundant in
$\exists X[F]$ is easy. The first case concerns monotone variables of F. A
variable v of F is called monotone if all clauses of F containing v have only
positive (or only negative) literals of v. A monotone variable v is redundant in
$\exists X[F]$ because removing the clauses with v from F does not change the
satisfiability of F. The second case concerns the presence of an empty clause.
If F contains such a clause, every variable of F is redundant.

4.3 D-sequents 

Definition 7. Let $F(X)$ be a CNF formula. Let q be an assignment to X and
Z be a subset of $X \setminus Vars(q)$. A dependency sequent (D-sequent) has the
form $(\exists X[F], q) \rightarrow Z$. It states that the variables of Z are
redundant in $\exists X[F_q]$. If formula F for which a D-sequent holds is
obvious from the context we will write this D-sequent in a short notation:
$q \rightarrow Z$.



Example 2. Let F be a CNF formula of four clauses: C\ — x\ V X2, C2 = x\ V X2, 
C3 = X\ V X3, C4 = X2 V X3. Notice that since clause C\ is satisfied in subspace 
$(x_2 = 1)$, variable $x_1$ is monotone in formula $F_{x_2=1}$. So D-sequent
$(x_2 = 1) \rightarrow \{x_1\}$ holds. On the other hand, the assignment
$r = (x_1 = 1, x_3 = 0)$ falsifies clause $C_3$. So variable $x_2$ is redundant
in $F_r$ and D-sequent $r \rightarrow \{x_2\}$ holds.

4.4 Join Operation for D-sequents 

Proposition 1 ([8]). Let $F(X)$ be a CNF formula. Let D-sequents
$r' \rightarrow Z$ and $r'' \rightarrow Z$ hold, where $Z \subseteq X$. Let
$r'$, $r''$ have different values for exactly one variable
$v \in Vars(r') \cap Vars(r'')$. Let r consist of all assignments of $r'$, $r''$
but those to v. Then, D-sequent $r \rightarrow Z$ holds too.

We will say that the D-sequent $r \rightarrow Z$ of Proposition 1 is obtained by
joining D-sequents $r' \rightarrow Z$ and $r'' \rightarrow Z$ at variable v. The
join operation is complete [8,7]. That is, eventually, D-sequent
$\emptyset \rightarrow X$ is derived proving that the variables of the current
formula F are redundant. If F contains an empty clause, then F is unsatisfiable.
Otherwise, it is satisfiable.

An obvious difference between the D-sequent calculus and resolution is that 
the former can handle both satisfiable and unsatisfiable formulas. This limitation 
of resolution is due to the fact that it operates on subspaces where formula F is 
unsatisfiable. One can interpret resolving clauses $C'$, $C''$ to produce clause
C as using the Boolean cubes $K'$, $K''$ where $C'$ and $C''$ are unsatisfiable
to produce a new Boolean cube K where the resolvent C is unsatisfiable. On the
contrary, the join operation can be performed over parts of the search space
where F may be satisfiable. When D-sequents $r' \rightarrow Z$ and
$r'' \rightarrow Z$ are joined, it does not matter whether formulas $F_{r'}$ and
$F_{r''}$ are satisfiable. The only thing that matters is that variables Z are
redundant in $F_{r'}$ and $F_{r''}$.

4.5 Virtual redundancy 

Let $F(X)$ be a CNF formula and r be an assignment to X. Let $Z \subseteq X$ and
$Vars(r) \cap Z = \emptyset$. The fact that variables of Z are redundant in F,
in general, does not mean that they are redundant in $F_r$. Suppose, for
example, that F is satisfiable, $F_r$ is unsatisfiable, F does not have a clause
falsified by r and $Z = Vars(F) \setminus Vars(r)$. Then formula
$F_r \setminus (F_r)^Z$ has no clauses and so is satisfiable. Hence
$\exists X[F_r] \neq \exists X[F_r \setminus (F_r)^Z]$ and so the variables of Z
are not redundant in $F_r$. On the other hand, since F is satisfiable, the
variables of Z are redundant in $\exists X[F]$.

We will say that the variables of Z are virtually redundant in $F_r$ where
$Z \cap Vars(r) = \emptyset$ if either a)
$\exists X[F_r] = \exists X[F_r \setminus (F_r)^Z]$ or b)
$\exists X[F_r] \neq \exists X[F_r \setminus (F_r)^Z]$ and F is satisfiable. In
other words, if variables Z are virtually redundant in $\exists X[F_r]$,
removing the clauses with a variable of Z from $F_r$ may be wrong but only
locally. From the global point of view this mistake does not matter because
it occurs only when F is satisfiable.



We need a new notion of redundancy because the join operation introduced
above preserves virtual redundancy [5] rather than redundancy in terms of
Definition 5. Suppose, for example, that the variables of Z are redundant in
$F_{r_1}$ and $F_{r_2}$ in terms of Definition 5 and so D-sequents
$r_1 \rightarrow Z$ and $r_2 \rightarrow Z$ hold. Let $r \rightarrow Z$ be the
D-sequent obtained by joining the D-sequents above. Then one can guarantee only
that the variables of Z are virtually redundant in $F_r$. For that reason we
need to replace the notion of redundancy by Definition 5 with that of virtual
redundancy. In the future explanation, we will omit the word "virtually". That
is, when we say that variables of Z are redundant in $F_r$ we actually mean that
they are virtually redundant in $F_r$.
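
The following Python sketch is an added example, not code from the paper: it checks Definitions 3, 5 and 7 by brute force, applies the join of Proposition 1, and shows a joined D-sequent that holds only virtually (Subsection 4.5). The function names and the two formulas G and H are constructed for illustration.

```python
from itertools import product

# Clauses are frozensets of DIMACS-style literals (3 means x3, -3 its negation);
# a formula is a list of clauses; an assignment maps a variable index to 0 or 1.

def restrict(F, q):
    """F_q of Definition 3: drop clauses satisfied by q and literals set to 0 by q."""
    out = []
    for c in F:
        if any(abs(lit) in q and q[abs(lit)] == (lit > 0) for lit in c):
            continue
        out.append(frozenset(lit for lit in c if abs(lit) not in q))
    return out

def satisfiable(F):
    """Value of 'exists X [F]' by exhaustive search (toy formulas only)."""
    vs = sorted({abs(lit) for c in F for lit in c})
    return any(not restrict(F, dict(zip(vs, bits)))
               for bits in product((0, 1), repeat=len(vs)))

def redundant(F, Z):
    """Definition 5: removing every clause with a variable of Z keeps the value."""
    rest = [c for c in F if all(abs(lit) not in Z for lit in c)]
    return satisfiable(F) == satisfiable(rest)

def holds(F, r, Z):
    """Definition 7: the D-sequent r -> Z holds if Z is redundant in F_r."""
    return redundant(restrict(F, r), Z)

def holds_virtually(F, r, Z):
    """Subsection 4.5: redundant in F_r, or not redundant there but F satisfiable."""
    return holds(F, r, Z) or satisfiable(F)

def join(r1, r2, v):
    """Proposition 1: left parts that disagree on v only are merged without v."""
    clash = sorted(x for x in r1 if x in r2 and r1[x] != r2[x])
    if clash != [v]:
        raise ValueError(f"cannot join at x{v}: left parts disagree on {clash}")
    return {x: b for x, b in {**r1, **r2}.items() if x != v}

# Constructed formula G (not from the paper), chosen so that the two D-sequents
# of the introduction's example, with Z = {x9}, hold for it.
G = [frozenset(c) for c in ([1, 2], [-2, -5, 9], [1, 2, -9])]

# Constructed formula H: satisfiable, yet H under x1=0 is unsatisfiable although
# x1=0 falsifies no clause of H (the situation discussed in Subsection 4.5).
H = [frozenset(c) for c in ([1, 2], [1, -2, 3], [1, -2, -3])]

def demo():
    """Join two D-sequents on each formula and classify the result."""
    g = join({1: 0, 2: 0}, {2: 1, 5: 1}, 2)      # left part (x1=0, x5=1)
    h = join({1: 0, 2: 0}, {2: 1}, 2)            # left part (x1=0)
    return {
        "G_inputs_hold": holds(G, {1: 0, 2: 0}, {9}) and holds(G, {2: 1, 5: 1}, {9}),
        "G_join": g,
        "G_join_holds": holds(G, g, {9}),
        "H_inputs_hold": holds(H, {1: 0, 2: 0}, {3}) and holds(H, {2: 1}, {3}),
        "H_join": h,
        "H_join_holds": holds(H, h, {3}),          # False: Definition 5 fails here
        "H_join_holds_virtually": holds_virtually(H, h, {3}),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For H, both input D-sequents hold in the sense of Definition 5, while the joined D-sequent with left part (x1=0) holds only because H itself is satisfiable.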

5 Description of DS-QSAT 

In this section, we describe DS-QSAT, a QSAT-solver based on the machinery 
of D-sequents. 

5.1 High-level view 

Pseudocode of DS-QSAT is given in Figure 2. DS-QSAT accepts a CNF formula
F, a partial assignment q to X where X = Vars(F), and a set of active
D-sequents $\Omega$ stating redundancy of some variables from
$X \setminus Vars(q)$ in subspace q. DS-QSAT returns CNF formula F that consists
of the clauses of the initial formula plus some resolvent clauses and a set
$\Omega$ of D-sequents stating redundancy of every variable of
$X \setminus Vars(q)$ in subspace q. To check satisfiability of a CNF formula,
one needs to call DS-QSAT with $q = \emptyset$, $\Omega = \emptyset$.

DS-QSAT is a branching procedure. If DS-QSAT cannot prove redundancy 
of some variables in the current subspace, it picks one of such variables v and 
branches on it. So DS-QSAT builds a binary search tree where a node corre- 
sponds to a branching variable. We will refer to the first (respectively second) 
assignment to v as the left (respectively right) branch of v. Although Boolean 
Constraint Propagation (BCP) is not explicitly mentioned in Figure 2, it is
included into the pick_variable procedure as follows. Let q be the current partial
assignment. Then a) preference is given to branching on variables of unit clauses
of $F_q$ (if any); b) if v is a variable of a unit clause C of $F_q$ and v is
picked for branching, then the value satisfying C is assigned first.

As soon as a variable v is proved redundant in the current subspace q, a
D-sequent $r \rightarrow \{v\}$ is recorded where r is a subset of assignments
of q. All the clauses of F containing variable v are marked as redundant and
ignored until v becomes non-redundant again. This happens when a variable of
Vars(r) changes its value making the D-sequent $r \rightarrow \{v\}$ inactive in
the current subspace.

As we mentioned in Section 3, if a clause C containing a variable v is falsified
after an assignment is made to v, DS-QSAT keeps making assignments to
unassigned non-redundant variables. However, this happens only in the left branch
of v. If C is falsified in the right branch of v, DS-QSAT backtracks. A unit clause
C gets falsified in the left branch only when DS-QSAT tries to satisfy another
unit clause $C''$ such that C and $C''$ have the opposite literals of a variable v.
We will refer to the node of the search tree corresponding to v as a conflict one.
The number of conflict nodes DS-QSAT may have is not limited.



    // F is a CNF formula
    // q is an assignment to Vars(F)
    // Ω is a set of active D-sequents
    DS-QSAT(F, q, Ω){
    1   if (empty_clause(F)) exit(unsat);
    2   if (new_falsif_clause(C, F, q))
    3     if (left_branch(q))
    4       Ω := update_Dseqs(Ω, F, C);
    5     else {
    6       Ω := finish_Dseqs(Ω, F, C);
    7       return(F, Ω); }
    8   Ω := monot_vars_Dseqs(Ω, F, q);
    9   if (all_vars_assgn_or_redund(Ω, q))
    10    if (no_falsif_clauses(F, q)) exit(sat);
    11    else return(F, Ω);
    - - - - - - - - - - - - - - - - - - - - - -
    12  v := pick_variable(F, q, Ω);
    13  q_0 = q ∪ {(v = 0)};
    14  (F, Ω_0) ← DS-QSAT(F, Ω, q_0);
    15  (Ω^sym, Ω^asym) = split(Ω_0, v);
    16  if (Ω^asym = ∅) return(F, Ω_0);
    17  recover_vars_clauses(F, Ω^asym);
    18  q_1 = q ∪ {(v = 1)};
    19  (F, Ω_1) ← DS-QSAT(F, Ω^sym, q_1);
    - - - - - - - - - - - - - - - - - - - - - -
    20  (F, Ω) ← merge(F, v, q, Ω_0, Ω_1);
    21  return(F, Ω);}

Fig. 2. DS-QSAT procedure

DS-QSAT consists of three parts. In Figure 2, they are separated by dashed
lines. In the first part, described in Subsections 5.3 and 5.4 in more detail,
DS-QSAT checks for termination conditions and builds D-sequents for variables
whose redundancy is obvious. In the second part (Subsection 5.5), DS-QSAT picks
an unassigned non-redundant variable v and splits the current subspace into
subspaces v = 0 and v = 1. Finally, DS-QSAT merges the results of branches
v = 0 and v = 1 (Subsection 5.6).

5.2 Eager and lazy backtracking (DPLL as a special case of DS-QSAT)

Let q be the current partial assignment to variables of X and variable v be the
variable assigned in q most recently. Let v be assigned a first value (left
branch). Let C be a clause of F falsified after v is assigned in q. In this
case, procedure update_Dseqs of DS-QSAT (line 4 of Figure 2) derives a
D-sequent $r \rightarrow Z'$. Here r is the smallest subset of assignments of q
falsifying C and $Z'$ is a subset of the current set Z of the unassigned,
non-redundant variables.

The version where $Z' = \emptyset$, i.e. where no D-sequent $r \rightarrow Z'$
is derived by update_Dseqs, will be called DS-QSAT with lazy backtracking. In our
theoretical and experimental evaluation of DS-QSAT given in Sections 6 and 8 we
used the version with lazy backtracking. The version of DS-QSAT where $Z'$ is
always equal to Z will be referred to as DS-QSAT with eager backtracking. DPLL is
a special case of DS-QSAT where the latter employs eager backtracking. In this
case, all unassigned variables are declared redundant and DS-QSAT immediately
backtracks without trying to prove redundancy of variables of Z in some other
ways.



5.3 Termination conditions

DS-QSAT reports unsatisfiability if the current formula F contains an
empty clause (line 1 of Figure 2). DS-QSAT reports satisfiability if no
clause of F is falsified by the current assignment q and every variable of
F is either assigned in q or proved redundant in subspace q (line 10).
Note that DS-QSAT uses a slight optimization here by terminating before the
D-sequent $\emptyset \rightarrow X$ is derived stating unconditional redundancy
of variables of X in $\exists X[F]$.

If no termination condition is met but every variable of F is assigned or
proved redundant, DS-QSAT ends the current call and returns F and $\Omega$
(lines 7,11). In contrast to operator return, the operator exit used in lines
1,10 eliminates the entire stack of nested calls of DS-QSAT.

    // q_0 = q ∪ {(v = 0)}; q_1 = q ∪ {(v = 1)};
    // C_0 = nil, C_1 = nil if no clause of F
    // is falsified by q_0, q_1 respectively
    merge(F, v, q, Ω_0, Ω_1){
    1   for (w ∈ (Vars(F) \ (Vars(q) ∪ {v}))) {
    2     if (symmetric_in_v(Ω_1, w)) continue;
    3     S_0 = extract_Dseq(Ω_0, w);
    4     S_1 = extract_Dseq(Ω_1, w);
    5     S = join(S_0, S_1, v);
    6     Ω_1 = (Ω_1 ∪ {S}) \ {S_1}; }
    7   C_0 = pick_falsif_clause(F, q_0);
    8   C_1 = pick_falsif_clause(F, q_1);
    9   if ((C_0 ≠ nil) and (C_1 ≠ nil)) {
    10    C = resolve(C_0, C_1, v);
    11    F = F ∪ {C};
    12    Ω_1 = Ω_1 ∪ {falsif_clause_Dseq(C, v)}; }
    13  else
    14    Ω_1 = Ω_1 ∪ {monot_var_Dseq(F, v, q)};
    15  return(F, Ω_1); }

Fig. 3. merge procedure

5.4 Derivation of atomic D-sequents

Henceforth, for simplicity, we will assume that DS-QSAT derives D-sequents 
of the form r — V {v} i.e. for single variables. A D-sequcnt r — > Z is then 
represented as \Z\ different D-sequents r — > {v} , v e Z. 

In the two cases below, variable redundancy is obvious, and DS-QSAT derives
D-sequents that we will call atomic. The first case is when a clause of F is
falsified by the current assignment q. This kind of D-sequent is derived by
procedures update_Dseqs (line 4) and finish_Dseqs (line 6). Let v be the
variable assigned in q most recently. Let C be a clause of F falsified after
the current assignment to v is made. If v is assigned a first value (left
branch), then, as we mentioned in Subsection 5.2, for some unassigned variables
$w_1, \ldots, w_m$ that are not proved redundant yet, one can build D-sequents
$r \rightarrow \{w_1\}, \ldots, r \rightarrow \{w_m\}$. Here r is the shortest
assignment falsifying C. So update_Dseqs may leave some unassigned variables
non-redundant. On the contrary, finish_Dseqs is called in the right branch of
v. In this case, for every unassigned variable $w_i$ that is not proved
redundant yet, D-sequent $r \rightarrow \{w_i\}$ is generated. So on exit from
finish_Dseqs, every variable of F is either assigned or proved redundant.

D-sequents of monotonic variables are the second case of atomic D-sequents.
They are generated by procedure monot_vars_Dseqs (line 8) and by procedure
monot_var_Dseq called when DS-QSAT merges results of branches (line 14 of
Figure [3]). Let q be the current partial assignment and v be a monotone
unassigned variable of F. Assume, for the sake of clarity, that only clauses
with positive polarity of v are present in $F_q$. This means that every clause
of F with literal $\overline{v}$ is either satisfied by q or contains a
variable w proved redundant in $F_q$. Then DS-QSAT generates D-sequent
$r \rightarrow \{v\}$ where r is formed from assignments of q as follows. For
every clause C of F with literal $\overline{v}$, assignment r a) contains an
assignment satisfying C or b) contains all the assignments of s such that
D-sequent $s \rightarrow \{w\}$ is active and w is a variable of C. Informally,
r contains a set of assignments under which variable v becomes monotone.

5.5 Branching in DS-QSAT 

When DS-QSAT cannot prove redundancy of some unassigned variables in the
current subspace q, it picks a non-redundant variable v for branching (line 12
of Figure [2]). First, DS-QSAT calls itself with assignment
$q_0 = q \cup \{(v = 0)\}$. (Figure [2] shows the case when assignment v = 0 is
explored in the left branch but obviously the assignment v = 1 can be explored
before v = 0.) Then DS-QSAT partitions the returned set of D-sequents
$\Omega_0$ into $\Omega^{sym}$ and $\Omega^{asym}$.

The set $\Omega^{sym}$ consists of the D-sequents $r \rightarrow \{w\}$ of
$\Omega_0$ such that $v \notin Vars(r)$. The D-sequents of $\Omega^{sym}$
remain active in the branch v = 1. The set $\Omega^{asym}$ consists of the
D-sequents $r \rightarrow \{w\}$ such that r contains assignment (v = 0). The
D-sequents of $\Omega^{asym}$ are inactive in the subspace v = 1 and the
variables whose redundancy is stated by those D-sequents reappear in the right
branch. If $\Omega^{asym} = \emptyset$, there is no reason to explore the right
branch. So, DS-QSAT just returns the set of D-sequents $\Omega_0$ (line 16).
Otherwise, DS-QSAT recovers the variables and clauses that were marked
redundant after D-sequents from $\Omega^{asym}$ were derived (line 17) and
calls itself with partial assignment $q_1 = q \cup \{(v = 1)\}$.

5.6 Merging results of branches 

After both branches of variable v have been explored, DS-QSAT merges the
results by calling the merge procedure (line 20). The pseudocode of merge is
shown in Figure [3]. DS-QSAT backtracks only when every unassigned variable is
proved redundant in the current subspace. The objective of merge is to maintain
this invariant by a) replacing the current D-sequents that depend on the
branching variable v with those that are symmetric in v; b) building a
D-sequent for the branching variable v itself.

The merge procedure consists of two parts separated in Figure [3] by the dotted
line. In the first part, merge builds D-sequents for the variables of
$X \setminus (Vars(q) \cup \{v\})$. In the second part, it builds a D-sequent
for the branching variable. In the first part, merge iterates over variables of
$X \setminus (Vars(q) \cup \{v\})$. Let w be a variable of
$X \setminus (Vars(q) \cup \{v\})$. If the current D-sequent for w (i.e. the
D-sequent for w from the set $\Omega_1$ returned in the right branch) is
symmetric in v, then there is no need to build a new D-sequent (line 2).
Otherwise, a new D-sequent S for w that does not depend on v is generated as
follows. Let $S_0$ and $S_1$ be the D-sequents for variable w contained in
$\Omega_0$ and $\Omega_1$ respectively (lines 3, 4). That is, $S_0$ and $S_1$
were generated for variable w in branches v = 0 and v = 1. Then D-sequent S is
produced by joining $S_0$ and $S_1$ at variable v (line 5).

Generation of a D-sequent for the variable v itself depends on whether node v
(i.e. the node of the search tree corresponding to v) is a conflict one. If so,
F contains clauses $C_0$ and $C_1$ that have variable v and are falsified by
$q_0$ and $q_1$ respectively. In this case, to make variable v redundant, merge
generates the resolvent C of $C_0$ and $C_1$ on variable v and adds C to F
(lines 10, 11). Then D-sequent $r \rightarrow \{v\}$ is generated where r is
the shortest assignment falsifying clause C (line 12).

If node v is not a conflict one, this means that clause $C_0$ and/or clause
$C_1$ does not exist. Suppose, for example, that no clause $C_0$ containing
variable v is falsified by $q_0$. This means that every clause of F with the
positive literal of v is either satisfied by q or contains a variable redundant
in subspace q. In other words, v is monotone in $F_q$ after removing the
clauses with redundant variables. Then an atomic D-sequent is generated by
merge (line 14) as described in Subsection 5.4.

Fig. 4. Search tree built by DS-QSAT



Example 3. Here we show how DS-QSAT with lazy backtracking operates when
solving the CNF formula F introduced in Example [1]. Formula F consists of
8 clauses: C\ — X\ V C2 = 12 V 13, C3 = X\ V x 2 V X3, C4 = x 2 V X3, 
C5 = X\ V Xi V X5, Cq = 14 V 3?5, C7 = 5J4 V X5, Cs = xi V X4 V X5. Figure [4] 
shows the search tree built by DS-QSAT. The ovals specify the branching nodes 
labeled by the corresponding branching variables. The label 0 or 1 on the edge
connecting two nodes specifies the value assigned to the variable of the higher node.
The rectangles specify the leaves of the search tree. The rectangle SAT specifies 
the leaf where DS-QSAT reported that F is satisfiable. 

Every edge of the search tree labeled with value 0 (respectively 1) also shows
the set of D-sequents $\Omega_0$ (respectively $\Omega_1$) derived when the
assignment corresponding to this edge was made. The D-sequents produced by
DS-QSAT are denoted in Figure [4] as $S_1, \ldots, S_5$. The values of
$S_1, \ldots, S_5$ are given in Figure [5]. When representing $\Omega_0$ and
$\Omega_1$ we use the symbol '|' to separate D-sequents derived before and
after a call of DS-QSAT. Consider, for example, the set
$\Omega_0 = \{\,|\,S_3, S_4, S_5\}$ on the path $x_1 = 0, x_2 = 0$. The set of
D-sequents listed before '|' is empty in $\Omega_0$. This means that no
D-sequents had been derived when DS-QSAT was called with
$q = (x_1 = 0, x_2 = 0)$. On the exit of this invocation of DS-QSAT,
D-sequents $S_3, S_4, S_5$ were derived. We use ellipsis after symbol '|' for
the calls of DS-QSAT that were not finished by the time F was proved
satisfiable.

Below, we use Figures [4] and [5] to illustrate various aspects of the work of 
DS-QSAT. 

Leaf nodes correspond to subspaces where every variable is either assigned
or proved redundant. For example, the node on the path
$(x_1 = 0, x_2 = 0, x_3 = 0, x_4 = 0)$ is a leaf because $x_1, x_2, x_3, x_4$
are assigned and $x_5$ is proved redundant.

Atomic D-sequents. D-sequents $S_1, S_2, S_4, S_5$ are atomic. For example, the
D-sequent $S_1$ is derived in subspace $x_1 = 0, x_2 = 0, x_3 = 0, x_4 = 0$ due
to $x_5$ becoming monotone. $S_1$ is equal to
$(x_1 = 0, x_4 = 0) \rightarrow \{x_5\}$ because only assignments $x_1 = 0$,
$x_4 = 0$ are responsible for the fact that $x_5$ is monotone.

Branching in the presence of a conflict. On the path $x_1 = 0, x_2 = 0$,
clauses $C_3$ and $C_4$ turned into unit clauses $x_3$ and $\overline{x}_3$
respectively. So no matter how the first assignment to $x_3$ was made, one of
these two clauses would get falsified. DS-QSAT made first assignment $x_3 = 0$
and falsified clause $C_3$. Since this was the left branch of $x_3$, DS-QSAT
proceeded further to branch on variable $x_4$.

Merging results of branches. When branching on variable $x_4$, DS-QSAT derived
sets $\Omega_0 = \{S_1\}$ and $\Omega_1 = \{S_2\}$ where $S_1$ is equal to
$(x_1 = 0, x_4 = 0) \rightarrow \{x_5\}$ and $S_2$ is equal to
$(x_1 = 0, x_4 = 1) \rightarrow \{x_5\}$. DS-QSAT merged the results of
branching by joining $S_1$ and $S_2$ at the branching variable $x_4$. The
resulting D-sequent $S_3$ equal to $(x_1 = 0) \rightarrow \{x_5\}$ does not
depend on $x_4$.

D-sequents for branching variables. DS-QSAT generated D-sequents for branching
variables $x_4$ and $x_3$. Variable $x_4$ was monotone in subspace
$x_1 = 0, x_2 = 0, x_3 = 0$ because the clauses $C_5, C_6$ containing the
positive literal of $x_4$ were not present in this subspace. $C_5$ was
satisfied by assignment $x_1 = 0$ while $C_6$ contained variable $x_5$ whose
redundancy was stated by D-sequent $S_3$ equal to
$(x_1 = 0) \rightarrow \{x_5\}$. So the D-sequent $S_4$ equal to
$(x_1 = 0) \rightarrow \{x_4\}$ was derived.

Variable $x_3$ was not monotone in subspace $q = (x_1 = 0, x_2 = 0)$ because,
in this subspace, clauses $C_3$ and $C_4$ turned into unit clauses $x_3$ and
$\overline{x}_3$ respectively. So first, DS-QSAT made variable $x_3$ redundant
by adding to F clause $C_9 = x_1 \vee x_2$ obtained by resolution of $C_3$ and
$C_4$ on $x_3$. Note that $C_9$ is falsified in subspace q. So the D-sequent
$S_5$ equal to $(x_1 = 0, x_2 = 0) \rightarrow \{x_3\}$ was generated.

Reduction of the size of right branches. In the left branch of node $x_2$, the
set of D-sequents $\Omega_0 = \{S_3, S_4, S_5\}$ was derived. D-sequent $S_5$
equal to $(x_1 = 0, x_2 = 0) \rightarrow \{x_3\}$ is not symmetric in $x_2$
(i.e. depends on $x_2$). On the other hand, $S_3$ and $S_4$ stating redundancy
of $x_4$ and $x_5$ are symmetric in $x_2$. So only D-sequent $S_5$ was inactive
in the right branch $x_2 = 1$. So only variable $x_3$ reappeared in this branch
while $x_4, x_5$ remain redundant.

Termination. In subspace $q = (x_1 = 0, x_2 = 1, x_3 = 1)$, every variable of
F was assigned or redundant and no clause of F was falsified by q. So DS-QSAT
terminated reporting that F was satisfiable.
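The bookkeeping of Subsections 5.5 and 5.6, run on the D-sequents of Figure [5], as an added example that is not the authors' code: partition splits a set into the D-sequents symmetric and asymmetric in a branching variable, and merge_symmetric follows lines 1-6 of Figure [3]. The names DSequent, dseq, depends_on, partition and merge_symmetric are hypothetical, and join is assumed to resolve the two assignments on v, which is how $S_1$ and $S_2$ yield $S_3$ in Example 3.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DSequent:
    """Record r -> {var}: var is redundant in every subspace that contains r."""
    assignment: frozenset  # the (variable, value) pairs that make up r
    var: str               # the variable stated redundant


def dseq(assignment, var):
    """Build a D-sequent from a dict such as {"x1": 0}."""
    return DSequent(frozenset(assignment.items()), var)


def depends_on(s, v):
    """True if the assignment r of D-sequent s assigns a value to v."""
    return any(name == v for name, _ in s.assignment)


def partition(omega, v):
    """Subsection 5.5: split omega into (symmetric, asymmetric) in v.

    Symmetric D-sequents stay active after v is flipped; the variables of
    the asymmetric ones reappear in the right branch.
    """
    sym = {s for s in omega if not depends_on(s, v)}
    return sym, set(omega) - sym


def join(s0, s1, v):
    """Join two D-sequents for the same variable at v (assumed semantics).

    s0 and s1 must assign opposite values to v and agree elsewhere; the
    result keeps every assignment of both except the one to v.
    """
    if s0.var != s1.var:
        raise ValueError("D-sequents state redundancy of different variables")
    r0, r1 = dict(s0.assignment), dict(s1.assignment)
    if {r0.get(v), r1.get(v)} != {0, 1}:
        raise ValueError("D-sequents must assign opposite values to " + v)
    merged = {}
    for name, value in list(r0.items()) + list(r1.items()):
        if name == v:
            continue
        if merged.setdefault(name, value) != value:
            raise ValueError("D-sequents disagree on " + name)
    return dseq(merged, s0.var)


def merge_symmetric(omega0, omega1, v):
    """Lines 1-6 of the merge procedure: make every D-sequent symmetric in v."""
    left = {s.var: s for s in omega0}
    result = set()
    for s1 in omega1:
        if not depends_on(s1, v):
            result.add(s1)                       # line 2: nothing to do
        else:
            result.add(join(left[s1.var], s1, v))  # lines 3-6
    return result


# The D-sequents S1..S5 as listed in Figure 5 of the page.
S1 = dseq({"x1": 0, "x4": 0}, "x5")
S2 = dseq({"x1": 0, "x4": 1}, "x5")
S3 = dseq({"x1": 0}, "x5")
S4 = dseq({"x1": 0}, "x4")
S5 = dseq({"x1": 0, "x2": 0}, "x3")

if __name__ == "__main__":
    # Merging the branches of x4 replaces S1 and S2 by S3.
    print(merge_symmetric({S1}, {S2}, "x4") == {S3})
    # After the left branch of x2 only S5 is asymmetric, so only x3 reappears.
    sym, asym = partition({S3, S4, S5}, "x2")
    print(sorted(s.var for s in asym))
```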



$S_1$: $(x_1 = 0, x_4 = 0) \rightarrow \{x_5\}$
$S_2$: $(x_1 = 0, x_4 = 1) \rightarrow \{x_5\}$
$S_3$: $(x_1 = 0) \rightarrow \{x_5\}$
$S_4$: $(x_1 = 0) \rightarrow \{x_4\}$
$S_5$: $(x_1 = 0, x_2 = 0) \rightarrow \{x_3\}$

Fig. 5. D-sequents of Figure [4]



5.7 Correctness of DS-QSAT

The proof of correctness of DS-QSAT can be performed by induction on the
number of derived D-sequents. Since such a proof is very similar to the proof
of correctness of the quantifier elimination algorithm we gave in [8], we omit
it here. Below we just list the facts on which this proof of correctness is
based.



• DS-QSAT derives correct atomic D-sequents. 

• D-sequents obtained by the join operation are correct. 

• DS-QSAT correctly reports satisfiability when every clause is either satisfied 
or proved redundant in the current subspace because D-sequents stating 
redundancy of variables are correct. 

• New clauses added to the current formula are obtained by resolution and so 
are correct. So DS-QSAT correctly reports unsatisfiability when an empty 
clause is derived. 

6 DS-QSAT on Compositional Formulas 

In this section, we consider the performance of DS-QSAT on compositional for- 
mulas. We will say that a satisfiability checking algorithm is compositional 
if its complexity is linear in the number of subformulas forming a compositional 
formula. We prove that DS-QSAT with lazy backtracking is compositional and 
argue that DPLL-based SAT-solvers are not. 

We say that a formula F(X) is compositional if it can be represented
as $F_1(X_1) \wedge \ldots \wedge F_k(X_k)$ where $X_i \cap X_j = \emptyset$,
$i \neq j$. The motivation for our interest in such formulas is as follows. As
we mentioned in Section [3], a practical formula F typically can be represented
as $F_1(X_1, Y_1) \wedge \ldots \wedge F_k(X_k, Y_k)$ where $X_i$ are internal
variables of $F_i$ and $Y_i$ are communication variables. One can view
compositional formulas as a degenerate case where $|Y_i| = 0$,
$i = 1, \ldots, k$ and so the $F_i$ do not talk to each other. Intuitively, an
algorithm that does not scale well even when $|Y_i| = 0$ will not scale well
when $|Y_i| > 0$.

From now on, we narrow down the definition of compositional formulas as
follows. We will call formula $F_1(X_1) \wedge \ldots \wedge F_k(X_k)$
compositional if $X_i \cap X_j = \emptyset$, $i \neq j$ and all subformulas
$F_i$, $i = 1, \ldots, k$ are equivalent modulo variable renaming/negation.
That is, $F_j$ can be obtained from $F_i$ by renaming some variables of $F_i$
and then negating some variables of the result of variable renaming.

Proposition 2. Let $F(X) = F_1(X_1) \wedge \ldots \wedge F_k(X_k)$ be a
compositional formula. Let T be the search tree built by DS-QSAT with lazy
backtracking when checking the satisfiability of F. The size of T is linear in
k no matter how decision variables are chosen. (A variable $v \in X$ is a
decision one if no clause of F that is unit in the current subspace contains
v.)



Proof. We will call a D-sequent $r \rightarrow \{v\}$ limited to subformula
$F_i$ if $(Vars(r) \cup \{v\}) \subseteq Vars(F_i)$. The idea of the proof is
to show that every D-sequent derived by DS-QSAT is limited to a subformula
$F_i$. Then the size of T is limited by $|X| \cdot 2^d$ where
$d = |Vars(F_1)| = \ldots = |Vars(F_k)|$. Indeed, when DS-QSAT flips the value
of a variable v, only variables whose D-sequents depend on v reappear in the
right branch of v. Since all D-sequents derived by DS-QSAT are limited to a
subformula, the D-sequents depending on v are limited to subformula $F_i$ such
that $v \in Vars(F_i)$. This means that the number of variables that reappear
in the right branch is limited by d. So the number of nodes of a right branch
of T cannot be larger than $2^d$. Hence the size of T cannot be larger than
$|X| \cdot 2^d$ where $|X|$ is the maximum possible depth of T.

Now let us prove that every D-sequent derived by DS-QSAT is indeed limited to a
subformula $F_i$. Since subformulas $F_i, F_j$, $i \neq j$ do not share
variables, for any non-empty resolvent clause C, it is true that
$Vars(C) \subseteq Vars(F_i)$ for some i. Then any atomic D-sequent built for a
monotone variable v (see Subsection 5.4) is limited to the formula $F_i$ such
that $v \in Vars(F_i)$. DS-QSAT builds an atomic D-sequent of another type when
a clause C produced by resolution on branching variable v is falsified in the
current subspace. This D-sequent has the form $r \rightarrow \{v\}$ where r is
the shortest assignment falsifying C. Since
$(Vars(C) \cup \{v\}) \subseteq Vars(F_i)$ where $F_i$ is the subformula
containing v, such a D-sequent is limited to $F_i$. Finally, a D-sequent
obtained by joining D-sequents limited to $F_i$ is limited to $F_i$. □



Let SAT_ALG be a DPLL-based algorithm with clause learning. SAT_ALG cannot
solve compositional formulas $F_1 \wedge \ldots \wedge F_k$ in the time linear
in k for an arbitrary choice of decision variables. Since every resolvent
clause can have only variables of one subformula $F_i$, the total number of
clauses generated by SAT_ALG is linear in k. However, the time SAT_ALG has to
spend to derive one clause is also linear in k. When a conflict occurs, SAT_ALG
backtracks to the decision level that is relevant to the conflict and is the
closest to the conflict level. In the worst case, SAT_ALG has to undo
assignments of all k subformulas. So in the worst case, the complexity of
SAT_ALG is quadratic in k.

Notice that the DP procedure is compositional because clauses of different 
subformulas cannot be resolved with each other. However, as we mentioned in 
the introduction, this procedure is limited to one global variable order in which 
variables are eliminated. This limitation is the main reason why the DP proce- 
dure is outperformed by DPLL-based solvers. On the contrary, DS-QSAT is a 
branching algorithm that can use different variable orders in different branches 
(and DPLL-based SAT-solvers are a special case of DS-QSAT). So the machin- 
ery of D-sequents allows one to enjoy the flexibility of branching still preserving 
the compositionality of the algorithm. 



7 Skipping Right Branches 



In this section, we describe an optimization technique that can be used for
additional pruning of the search tree built by DS-QSAT. We will refer to this
technique as SRB (Skipping Right Branches). The essence of SRB is that in some
situations, DS-QSAT can use the D-sequents produced in the left branch of a
variable v to build D-sequents that do not depend on v without exploration of
the right branch of v.

This section is structured as follows. Subsection 7.1 gives pseudocode of the
modification of DS-QSAT with SRB. Generation of D-sequents that do not depend
on the current branching variable is explained in Subsection 7.2. Some notions
introduced in [8] are recalled in Subsection 7.3. These notions are used in
Subsection 7.4 to prove that the D-sequents derived by the modified part of
DS-QSAT are correct.

DS-QSAT(F, q, Ω){
16      if (Ω^asym = ∅) return(F, Ω0);
16.1    if (decision_var(q0, v, F))
16.2      if (no_new_falsif_clause(q0, F)) {
16.3        S := branch_var_Dseq(F, v, q);
16.4        Ω := recomp_Dseqs(Ω0, S, q0, F);
16.5        return(F, Ω ∪ {S}); }
17      recover_vars_clauses(F, Ω^asym);
21      return(F, Ω); }

Fig. 6. modified DS-QSAT procedure



7.1 Modified DS-QSAT 

The modification of DS-QSAT due to adding the SRB technique is shown in
Figure [6] (lines 16.1-16.5). SRB works as follows. Suppose that DS-QSAT has
backtracked from the left branch of v. Let q be the set of assignments made by
DS-QSAT before variable v. We will follow the assumption of Figure [2] that the
first value assigned to v is 0. In such a case, DS-QSAT of Figure [2] just
explores the right branch v = 1 (line 19). The essence of DS-QSAT with SRB is
that if a condition described below is satisfied, the right branch is skipped.
Instead, DS-QSAT does the following. First, it builds a correct D-sequent of
the branching variable v depending only on assignments to q (line 16.3). Then,
every D-sequent $r \rightarrow \{w\}$ of $\Omega_0$ where r contains assignment
(v = 0) is recomputed (line 16.4).

Let $q_0$ denote assignment q extended by (v = 0). The condition under which
the SRB technique is applicable is that no clause of F having literal v (i.e.
the positive literal of variable v) is falsified by $q_0$. This means that
every clause with literal v is either satisfied by q or has a variable that is
redundant in subspace $q_0$. This condition is checked on line 16.2.

The SRB technique is used in the modification of DS-QSAT shown in Figure [6]
only if v is a decision variable (line 16.1). The reason is as follows. Suppose
that this is not the case, i.e. v is in a unit clause C of $F_q$. In this case,
in the left branch (respectively right branch), DS-QSAT assigns v the value
that satisfies C (respectively falsifies C). But since DS-QSAT immediately
backtracks if a new clause gets falsified in the right branch, pruning the left
branch in this case does not save any work.



7.2 D-sequents generated by modified DS-QSAT 

Let F(X) be a CNF formula. Let q be a partial assignment to variables of X.
Let v be a variable of $X \setminus Vars(q)$. Let $q_0$ denote the assignment
$q \cup \{(v = 0)\}$. Let $\Omega_0$ be a set of D-sequents active in the
subspace specified by $q_0$. Let every clause of F that has literal v be either
satisfied by q or have a variable whose redundancy is stated by a D-sequent of
$\Omega_0$.

The procedure branch_var_Dseq of Figure [6] generates D-sequent
$r \rightarrow \{v\}$ such that for every clause C containing literal v

• C is satisfied by r or

• C contains a variable w whose redundancy is stated by a D-sequent
$s \rightarrow \{w\}$ of $\Omega_0$ and $s < (r \cup \{(v = 0)\})$.

The procedure recomp_Dseqs of Figure [6] works as follows. For every D-sequent
$e \rightarrow \{w\}$ of $\Omega_0$ such that e contains assignment (v = 0),
recomp_Dseqs generates a D-sequent $e' \rightarrow \{w\}$. The assignment $e'$
is obtained from e by replacing assignment (v = 0) with the assignments of r of
the D-sequent $r \rightarrow \{v\}$ generated for the branching variable v.



7.3 Recalling some notions 

In this subsection, we recall some notions introduced in [8] that are used in
the proofs of Subsection 7.4. Let F(X) be a CNF formula. We will refer to a
complete assignment to variables of X as a point. A point p is called a
Z-boundary point of F if

• p falsifies F

• every clause of F falsified by p contains a variable of Z

• Z is minimal, i.e. no proper subset of Z satisfies the property above

A Z-boundary point p is called Y-removable in F where
$Z \subseteq Y \subseteq X$ if p cannot be turned into an assignment satisfying
F by changing values of variables of Y. If a Z-boundary point is Y-removable,
then one can produce a clause C that is a) falsified by p; b) implied by F and
c) does not have any variables of Z. After adding C to F, p is not a Z-boundary
point anymore, hence the name removable.

We will call a Y-removable point just removable if Y = X. It is not hard to
see that every Z-boundary point of a satisfiable (respectively unsatisfiable)
formula F is unremovable (respectively removable).

Proposition 3. Let F(X) be a CNF formula and q be a partial assignment to
variables of X. A set of variables Z is not redundant in $\exists X[F]$ in
subspace q, if and only if there is a Z-boundary point of $F_q$ that is
removable in F.

The proof of this proposition is given in [8].



7.4 Correctness of D-sequents generated by modified DS-QSAT 



Proposition 4. The D-sequent generated by procedure branch_var_Dseq of
Figure [6] described in Subsection 7.2 is correct.

Proof. Assume the contrary, i.e. D-sequent $r \rightarrow \{v\}$ does not hold.
From Proposition [3] it follows that there is a $\{v\}$-boundary point p such
that $r < p$. This also means that F is unsatisfiable. Indeed, if F is
satisfiable, then every variable of F is already redundant and so any
D-sequent $r \rightarrow \{v\}$ holds.

Let us assume that v is equal to 0 in p. If v equals 1 in p, one can always
flip the value of v obtaining the point that is either a $\{v\}$-boundary point
or a satisfying assignment (Lemma 1 of [8]). Since the assumption we made
implies that F is unsatisfiable, flipping the value of v produces a
$\{v\}$-boundary point.

Let G be the set of clauses falsified by point p. Let C be a clause of G. Since
p is a $\{v\}$-boundary point, C contains literal v. Note that under the
assumption of the proposition to be proved, if a clause of F with literal v is
not satisfied by r, this clause has to contain a redundant variable w such that
D-sequent $s \rightarrow \{w\}$ of $\Omega_0$ holds and
$s < (r \cup \{(v = 0)\})$. Let Z be a minimal set of variables of X that are
present in clauses of G and whose redundancy is stated by D-sequents of
$\Omega_0$. Then p is a Z-boundary point of F. Since F is unsatisfiable, this
point is removable. Then from Proposition [3] it follows that the variables of
Z are not redundant in $F_{r'}$ where $r' = r \cup \{(v = 0)\}$. Contradiction.

Proposition 5. The D-sequents generated by the recomp_Dseqs procedure of
Figure [6] described in Subsection 7.2 are correct.

Proof. Assume the contrary, i.e. the D-sequent $e' \rightarrow \{w\}$ obtained
from a D-sequent $e \rightarrow \{w\}$ of $\Omega_0$ does not hold. This means
that there is a $\{w\}$-boundary point p such that $e' < p$. It also means that
F is unsatisfiable. Let us consider the following two cases.

• Variable v is assigned 0 in p. Then there is a removable $\{w\}$-boundary
point in subspace e and so the D-sequent $e \rightarrow \{w\}$ of $\Omega_0$
does not hold. Contradiction.

• Variable v is assigned 1 in p. Let $p'$ be the point obtained from p by
flipping the value of v. Let G and $G'$ be the clauses of F falsified by p and
$p'$ respectively. Denote by $G''$ the set of clauses $G' \setminus G$. This
set consists only of clauses having literal v because these are the only new
clauses that may get falsified after flipping the value of v from 1 to 0. Then
using reasoning similar to that of Proposition [4], one concludes that every
clause of $G''$ contains a variable u such that D-sequent $s \rightarrow \{u\}$
of $\Omega_0$ holds and $s < (r \cup \{(v = 0)\})$ where r is the assignment of
the D-sequent $r \rightarrow \{v\}$ generated for the branching variable v. Let
Z be a minimal set of such variables. Then any clause of $G'$ either contains
variable w or a variable of Z. Hence $p'$ is a $(Z \cup \{w\})$-boundary point.
Since our assumption implies unsatisfiability of F, this boundary point is
removable. Let g be equal to $e' \cup \{(v = 0)\}$. Note that since $r < e'$
and g contains assignment (v = 0), every variable of Z is redundant in $F_g$.
On the one hand, since $e < g$, variable w is redundant in $F_g$ as well. So
the variables of $Z \cup \{w\}$ are redundant in $F_g$. On the other hand,
$g < p'$ and so $F_g$ contains a $(Z \cup \{w\})$-boundary point $p'$ that is
removable in F. From Proposition [3] it follows that variables of
$(Z \cup \{w\})$ are not redundant in $F_g$. Contradiction.



8 Experiments 

In this section, we compare DS-QSAT with some well-known SAT-solvers on two
sets of compositional and non-compositional formulas. In experiments, we used
the optimization technique described in Section [7]. Although using this
technique was not crucial for making our points, it allowed us to improve the
runtimes of DS-QSAT.

Obviously, this comparison is by no means comprehensive. Our objective here
is as follows. In Subsection 5.2 we argued that DPLL-based SAT-solvers are a
special case of DS-QSAT when it uses eager backtracking. One may think that
due to the great success of modern SAT-solvers, this version of DS-QSAT is
simply always the best. In this section, we show that this is not the case. We
give an example of meaningful formulas where the opposite strategy of lazy
backtracking works much better. This result confirms the theoretical prediction
of Section [6].

The results of experiments with the first set of formulas are shown in
Tables [1], [2] and [3]. This set consists of compositional formulas
$F_1(X_1) \wedge \ldots \wedge F_k(X_k)$ where $X_i \cap X_j = \emptyset$.
Every subformula $F_i$ is obtained by renaming/negating variables of the same
satisfiable CNF formula describing a 2-bit multiplier. Since every subformula
$F_i$ is satisfiable, formula $F_1 \wedge \ldots \wedge F_k$ is satisfiable
too for any value of k.

Table 1. Solving compositional formulas

In the DIMACS format that we used in experiments, a variable's name is a
number. In the formulas of Table [1] the variables were named so that the
DIMACS names of variables of different subformulas $F_i$ interleaved. The
objective of negating variables was to make sure that if an assignment s to the
variables of $X_i$ satisfies $F_i$, the same assignment of the corresponding
variables of $X_j$ is unlikely to satisfy $F_j$.

Table 2. Statistics of Picosat and DS-QSAT on compositional formulas

In Table [1] we compare DS-QSAT with Minisat (version 2.0), RSat (version 2.01)
and Picosat (version 913) on compositional formulas. These formulas are
different only in the value of k. The first three columns of this table show
the value of k, the number of variables and clauses in thousands. The last four
columns show the time taken by Minisat, RSat, Picosat and DS-QSAT to solve
these formulas (in seconds). DS-QSAT significantly outperforms these three
SAT-solvers. As predicted by Proposition [2], DS-QSAT shows linear complexity.
On the other hand, the complexity of each of the three SAT-solvers is
proportional to $m \cdot k^2$ where m is a constant.

Table [2] provides some statistics of the performance of Picosat and DS-QSAT
on the formulas of Table [1]. The second, third and fourth columns give the
number of conflicts (in thousands), number of decision and implied assignments 
(in millions) for Picosat. In the following three columns, the number of conflict 
nodes of the search tree, number of decision and implied assignments (in thou- 
sands) are given for DS-QSAT. The results of Table [2] show that the numbers 
of conflicts of Picosat and those of conflict nodes of DS-QSAT are compara- 
ble. Besides, for both programs the dependence of these numbers on k is linear. 
However, the numbers of decision and implied assignments made by Picosat and 
DS-QSAT differ by three orders of magnitude. Most importantly, the number 
of assignments made by DS-QSAT (both decision and implied) grows linearly 
with k. On the other hand, the dependence of the number of assignments made 
by Picosat on k is closer to quadratic for both decision and implied assignments. 

Table [3] provides some additional statistics characterizing the performance of
DS-QSAT on the formulas of Table [1]. The second column specifies the maximum
number of conflict variables that appeared on a path of the search tree. A variable 
v is a conflict one if after making an assignment to v a new clause of F gets 
falsified. This column shows that DS-QSAT kept branching even after thousands 
of conflicts occurred on the current path. 

DS-QSAT reports that a formula is satisfiable when the current assignment q
does not falsify a clause of F and every variable of F that is not assigned in
q is proved redundant. The third column of Table [3] gives the value of
$|Vars(q)| / |Vars(F)|$ (in percent) at the time DS-QSAT proved satisfiability.
Informally, this value shows that DS-QSAT established satisfiability of F
knowing only a very small fragment of a satisfying assignment. The last column
of Table [3] shows the maximum number of non-redundant unassigned variables
that appeared in a right branch of the search tree. The number of variables in
subformulas $F_i$ we used in experiments was equal to 16. As we showed in
Proposition [2], in the search tree built by DS-QSAT for a compositional
formula, the number of free variables that may appear in a right branch is
bounded by $|Vars(F_i)|$, i.e. by 16. Our experiments confirmed that
prediction. The fact that the size of right branches is so small means that
when solving a formula F of Table [1] DS-QSAT dealt only with very small
fragments of F.

Table 3. More statistics of DS-QSAT for compositional formulas

Table 4. Solving non-compositional formulas

Generally speaking, the problems with compositional formulas can be easily
fixed by solving independent subformulas separately. Such subformulas can be
found in linear time by looking for strongly connected components of a graph
relating clauses that share a variable. To eliminate such a possibility we
conducted the second experiment. In this experiment, we compared DS-QSAT and
the three SAT-solvers above on non-compositional formulas. Those formulas were
obtained from the same subformulas $F_i$ obtained from a CNF formula specifying
a 2-bit multiplier by renaming/negating variables. However, now, renaming was
done in such a way that every pair of subformulas $F_i, F_{i+1}$,
$i = 1, \ldots, k - 1$ shared exactly one variable. So now formulas
$F = F_1(X_1) \wedge \ldots \wedge F_k(X_k)$ we used in experiments did not
have any independent subformulas. Table [3] shows the results of the second
experiment (all formulas are still satisfiable). The first two columns of
Table [4] specify the value of k (i.e. the number of subformulas $F_i$) and the
number of variables of F in thousands. The next four columns give the runtimes
of Minisat, RSat, Picosat and DS-QSAT in seconds. These runtimes show that
DS-QSAT still outperforms these three SAT-solvers and scales better.
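The preprocessing mentioned in this paragraph, as an added example rather than code from the paper: clauses are grouped into variable-disjoint subformulas with union-find, i.e. as connected components of the graph relating clauses that share a variable. BASE is a small constructed stand-in for the 2-bit multiplier CNF, which the page does not list, and compose with its interleaved naming and negation pattern is a hypothetical generator written for this illustration.

```python
def independent_subformulas(clauses):
    """Group non-empty DIMACS-style clauses into variable-disjoint blocks.

    Each clause is a list of non-zero ints; two clauses end up in the same
    block exactly when a chain of shared variables connects them.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for clause in clauses:
        root = find(abs(clause[0]))
        for lit in clause[1:]:
            parent[find(abs(lit))] = root  # union all variables of the clause

    blocks = {}
    for clause in clauses:
        blocks.setdefault(find(abs(clause[0])), []).append(clause)
    return list(blocks.values())


# Constructed base subformula over variables 1..4 (not the paper's multiplier).
BASE = [[1, 2], [-1, 3], [-2, -3, 4], [-4, 1]]
BASE_VARS = 4


def compose(base, n_vars, k, chained=False):
    """Build F_1 ∧ ... ∧ F_k from k renamed/negated copies of base.

    Variable j of copy c gets the interleaved DIMACS name (j - 1) * k + c.
    With chained=True, variable 1 of copy c is identified with the last
    variable of copy c - 1, so neighbouring copies share exactly one variable.
    """
    def name(copy, j):
        if chained and copy > 1 and j == 1:
            return name(copy - 1, n_vars)
        return (j - 1) * k + copy

    def flip(copy, j):
        # Constructed negation pattern: polarity differs between copies.
        return -1 if (copy + j) % 2 else 1

    formula = []
    for copy in range(1, k + 1):
        for clause in base:
            formula.append([
                (1 if lit > 0 else -1) * flip(copy, abs(lit)) * name(copy, abs(lit))
                for lit in clause
            ])
    return formula


if __name__ == "__main__":
    compositional = independent_subformulas(compose(BASE, BASE_VARS, 5))
    chained = independent_subformulas(compose(BASE, BASE_VARS, 5, chained=True))
    # The compositional formula splits into k blocks; the chained one does not.
    print(len(compositional), len(chained))
```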

The last column of Table [4] illustrates the ability of D-sequents to take into ac- 
count formula structure. In this column, we give the runtimes of DS-QSAT when 
it first branched on communication variables (i.e. ones shared by subformulas 
Fi). So in this case, DS-QSAT had information about formula structure. The re- 
sults show that the knowledge of communication variables considerably improved 
the performance of DS-QSAT. 

Table [5] gives some statistics describing the performance of DS-QSAT on the
formulas of Table [4]. The second and third columns of Table [5] are similar to
the corresponding columns of Table [3]. A lot of conflicts occurred on a path
of the search tree built by DS-QSAT and by the time DS-QSAT reported
satisfiability, only a small fragment of a satisfying assignment was known. The
fourth column shows the maximum size of a right branch of the search tree built
by DS-QSAT (in terms of the number of non-redundant variables). The next column
gives the ratio of the maximum size of a right branch and the total number of
variables (in percent). Notice that now the maximum size of right branches is
much larger than in the case of compositional formulas. Nevertheless, again,
DS-QSAT dealt only with very small fragments of the formula. The last column
gives the maximum size of right branches when DS-QSAT first branched on
communication variables. Such structure-aware branching allowed DS-QSAT to
dramatically reduce the size of right branches, which explains why DS-QSAT had
much faster runtimes in this case (shown in the last column of Table [4]).

Although DS-QSAT performed well on the formulas we used in experiments,
lazy backtracking is too extreme to be successful on a more general set of
benchmarks. Let F be a formula to be checked for satisfiability. Let a clause C
of F be falsified by the current assignment and Z be the set of unassigned
variables. At this point, any variable $v \in Z$ is redundant due to C being
falsified. Lazy backtracking essentially assumes that by keeping branching in
the presence of the conflict one will find a better explanation of redundancy
of v. A less drastic approach is as follows. Once clause C gets falsified, a
D-sequent $r \rightarrow Z'$ is derived where r is the shortest assignment
falsifying C and Z' consists of some variables of Z that are related to
clause C. For example, if C is in a subformula G of F specifying a design block
it may make sense to form Z' of the unassigned variables of G.



9 Background 

In 1960, Davis and Putnam introduced a QSAT-solver that is now called the DP
procedure [3]. Since it performed poorly even on small formulas, a new algorithm
called the DPLL procedure was introduced in 1962 [2]. Two major changes
were made in the DPLL procedure in comparison to the DP procedure. First, 
the DPLL procedure employed branching and could use different variable order 
in different branches. Second, it changed the semantics of variable elimination 
that the DP procedure was based on. Instead, the semantics of elimination of 
unsatisfiable assignments was introduced. The DPLL procedure backtracks as 
soon as it finds out that the current partial assignment cannot be extended 
to a satisfying assignment. Such eager backtracking is a characteristic feature 
of SAT-solvers i.e. algorithms proving satisfiability by producing a satisfying 
assignment. 

The first change has been undoubtedly a great step forward. The DP proce- 
dure eliminates variables in one particular global order which makes this proce- 
dure very inefficient. The second change however has its pros and cons. On the 
one hand, DPLL has a very simple and natural semantics, which facilitated the 
great progress in SAT-solving seen in the last two decades [15, 18, 16, 11, 6, 17, 1].
On the other hand, as we argued before, the necessity to generate a satisfying 
assignment to prove satisfiability deprived DPLL-based SAT-solvers of powerful 
transformations preserving equisatisfiability rather than functional equivalence. 

Generally speaking, transformations preserving equisatisfiability are routinely 
used by modern algorithms, but their usage is limited one way or another. For 
example, such transformations are employed in preprocessing where some variables
are resolved out [5] or redundant clauses are removed [13]. However, such
transformations have a limited scope: they are used just to simplify the original
formula that is then passed to a DPLL-based SAT-solver. Second, transformations
preserving equisatisfiability are ubiquitous in algorithms on circuit formulas
e.g. in ATPG algorithms [3]. Such algorithms often exploit the fact that a gate 
becomes unobservable under some partial assignment r. In terms of variable re- 
dundancy, this means that the variable v specifying the output of this gate is 
redundant in subspace r. Importantly, this redundancy is defined with respect 
to a formula where assignments to non-output variables do not matter. Such 
variables can be viewed as existentially quantified and the discarding of clauses 
containing redundant non-output variables does not preserve functional equiva- 
lence. However, such transformations are restricted only to formulas generated 
off circuits and do not form a complete calculus. Typically, these transformations 
are used in the form of heuristics. 

The machinery of D-sequents was introduced in [8, 9]. In turn, the notion
of D-sequents and join operation were inspired by the relation between variable
redundancy and boundary point elimination [10, 12]. In [8, 7], we formulated a
method of quantifier elimination called DDS (Derivation of D-Sequents). Since 
QSAT is a special case of the quantifier elimination problem, DDS can be used 
to check satisfiability. However, since DDS employs eager backtracking, such 
an algorithm is a SAT-solver rather than a QSAT-solver. In particular, as we 
showed in [5], the complexity of DDS on compositional formulas is quadratic in
the number k of subformulas, while the complexity of DS-QSAT is linear in k. 



10 Conclusion 



The results of this paper lead to the following three conclusions. 

1) DPLL-based procedures have scalability issues. These issues can be observed 
even on compositional formulas i.e. on formulas with a very simple structure. 
Arguably, the root of the problem is that DPLL-procedures are designed to
prove satisfiability by producing a satisfying assignment. This deprives such
procedures of powerful transformations that preserve equisatisfiability
rather than functional equivalence.

2) D-sequents are an effective tool for building scalable algorithms. In particular, 
the algorithm DS-QSAT we describe in the paper scales well on compositional 
formulas. The reason for such scalability is that DS-QSAT sacrifices the ability to
generate satisfying assignments to tap into the power of transformations preserv- 
ing only equisatisfiability. The essence of transformations used by DS-QSAT is 
to discard large portions of the formula that are proved to be redundant in 
the current subspace. The results of experiments with DS-QSAT on two simple 
classes of compositional and non-compositional formulas show the big promise 
of algorithms based on D-sequents. 

3) In this paper, we have only touched the tip of the iceberg. A great many
issues need to be resolved to make QSAT-solving by D-sequents practical.